Quantum key distribution (QKD) allows two remote parties to grow a shared secret key. Its security is founded on the principles of quantum mechanics, but in reality it significantly relies on the physical implementation. Technological imperfections of QKD systems have been previously explored, but no attack on an established QKD connection has been realized so far. Here we show the first full-field implementation of a complete attack on a running QKD connection. An installed eavesdropper obtains the entire 'secret' key, while none of the parameters monitored by the legitimate parties indicate a security breach. This confirms that non-idealities in physical implementations of QKD can be fully practically exploitable, and must be given increased scrutiny if quantum cryptography is to become highly secure.

Secret communication provided by cryptography is needed in many activities of the human civilization - military, commerce, government and private affairs. The long history of cryptography is a continual cat-and-mouse game of cryptographic systems being broken and replaced with new, stronger ones. Quantum cryptography, as one of the latest techniques, promised for the first time a security which is not based on mathematical conjectures but on the laws of physics. Technologically, quantum cryptography has matured to experiments over <250 km distance [4], and several commercial systems are available. Although security of the QKD protocol is unconditionally proven [5], deviations of actual hardware from the idealized model still present a challenge. Various attacks have been proposed exploiting imperfections of components in QKD scheme: light modulators, photon sources and detectors. However none of these proposals implemented an attack that eavesdropped the secret key, leaving the question of practicality of technological vulnerabilities unresolved.

We picked one of the proposed attack methods, fully implemented the eavesdropper Eve, and used it to attack an installed QKD line. The QKD system under attack is a well-designed one used previously in several experiments, and openly documented. We treated QKD hardware and software as 'given' and kept all its settings as they had been set for QKD prior to this study. The hardware and software are assumed fully known to Eve, according to Kerckhoffs' principle.

In this paper, we demonstrate the full-field implementation of this eavesdropping attack in realistic conditions over a 290-m fibre link between the transmitter Alice and the receiver Bob. From multiple QKD sessions over a few hours, Eve obtains the same 'secret' key as Bob, while the usual parameters monitored in the QKD exchange are not disturbed, leaving Eve undetected.



RESULTS 

A. The faked-state attack 

We have chosen a 'faked-state attack' (Fig. 1a). Eve uses a replica of the legitimate receiver unit (Bob′) to intercept and measure all quantum states sent by Alice. She further uses a faked-state generator (FSG) to force Bob to output identical bases and bit values, so that Eve and Bob have the same raw key. Eve also records unencrypted communication in the classical channel, and computes the final secret key (identical to Alice's and Bob's) by repeating the same sifting, error correction and privacy amplification procedures as Bob. Unlike the traditional intercept-resend attack, the faked-state attack does not introduce errors in the key and therefore is not detected by the QKD protocol.
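
The contrast with intercept-resend can be computed exactly. The following is an added example, not code from the paper: it enumerates every basis and bit combination of an idealized, noise-free four-state protocol, and the function names and the lossless model are assumptions of the example. It shows why error-ratio monitoring flags intercept-resend but sees nothing when Bob's basis and bit are dictated by Eve.

```python
from fractions import Fraction
from itertools import product

HALF = Fraction(1, 2)
BASES = (0, 1)          # 0 = rectilinear (H/V), 1 = diagonal (+45/-45)


def measure(state_basis, state_bit, meas_basis):
    """Outcome distribution {bit: probability} of an ideal polarization measurement."""
    if state_basis == meas_basis:
        return {state_bit: Fraction(1)}
    return {0: HALF, 1: HALF}            # conjugate basis: the result is random


def bob_outcomes(strategy, a_basis, a_bit):
    """Yield (probability, eve_bit, bob_basis, bob_bit) for one photon from Alice."""
    if strategy == "none":               # no Eve on the line; she can only guess
        for b_basis in BASES:
            for b_bit, p in measure(a_basis, a_bit, b_basis).items():
                for guess in (0, 1):
                    yield HALF * p * HALF, guess, b_basis, b_bit
        return
    for e_basis in BASES:                # Eve's replica receiver picks a basis
        for e_bit, p_e in measure(a_basis, a_bit, e_basis).items():
            if strategy == "faked_state":
                # Bob's detector for (e_basis, e_bit) is forced to click.
                yield HALF * p_e, e_bit, e_basis, e_bit
            elif strategy == "intercept_resend":
                # Eve resends a photon; Bob still chooses his basis at random.
                for b_basis in BASES:
                    for b_bit, p_b in measure(e_basis, e_bit, b_basis).items():
                        yield HALF * p_e * HALF * p_b, e_bit, b_basis, b_bit
            else:
                raise ValueError(strategy)


def sifted_key_stats(strategy):
    """Return (sift_fraction, qber, eve_match) as exact fractions."""
    sifted = errors = eve_same = Fraction(0)
    for a_basis, a_bit in product(BASES, (0, 1)):
        for p, e_bit, b_basis, b_bit in bob_outcomes(strategy, a_basis, a_bit):
            if b_basis != a_basis:
                continue                 # discarded during sifting
            weight = Fraction(1, 4) * p
            sifted += weight
            errors += weight * (b_bit != a_bit)
            eve_same += weight * (e_bit == b_bit)
    return sifted, errors / sifted, eve_same / sifted


if __name__ == "__main__":
    for name in ("none", "intercept_resend", "faked_state"):
        sift, qber, match = sifted_key_stats(name)
        print(f"{name:17s} sifted={sift} QBER={qber} Eve==Bob: {match}")
```

In this model the sifted fraction is 1/2 in all three cases, so the key rate does not distinguish them either; only the error ratio separates intercept-resend from an undisturbed line.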

Eve's full control of Bob's detection outcomes is crucial to the success of the faked-state attack. Several technological vulnerabilities allow for the needed degree of control [12, 15, 17, 23]. We have chosen to exploit blindability and controllability of single-photon detectors under strong illumination [15, 16]. The QKD system under attack uses passively quenched single-photon avalanche photodiodes (APDs, Fig. 2a). Ordinarily, the arrival of a single photon generates an electron-hole pair that leads to an avalanche in the APD. The resulting current spike is detected by a comparator and a pulse-shaper as the arrival of a single photon, a 'click'. Spurious capacitances of the device result in a finite recharging time and cause a detector deadtime of ~1 µs. If the illumination level is increased such that no full recharge occurs between individual photons, the avalanche becomes progressively smaller. Under higher illumination conditions, it falls below the comparator threshold and cannot be identified as a click; the detector becomes blind (Fig. 2b). Hence, by injecting high light levels into the channel, it is straightforward for Eve to indefinitely blind Bob's detectors. Under these illumination conditions, the APD no longer behaves as a single-photon detector, but as a classical photodiode generating photocurrent proportional to the optical power. A strong light pulse with peak power above a threshold P_th generates a current spike that mimics the signal of a legitimate photon (Fig. 2c) [16].

FIG. 1. Eavesdropping experiment. (a) Principle of the faked-state attack. (b) Attack on installed QKD system spanning four buildings at the campus of the National University of Singapore. In Alice, polarization-entangled photon pairs were produced in a type-II spontaneous parametric down-conversion (SPDC) source [18, 20]. One photon was measured locally by Alice; the other one was sent through a 290 m single-mode (SM) fibre line to Bob. Eve was inserted at a mid-way point. All three parties used identical polarization analysers (PA); clicks were registered with timestamp units (TS). Under attack, Bob's detectors clicked controllably when illuminated by an optical pulse with peak power > P_th. In the example, to address the target detector for vertically polarized photons, Eve sent a faked state with vertical polarization and peak power 2P_th. Each of Bob's detectors in the conjugate (45° rotated) basis received a pulse of peak power P_th/2, and thus remained blinded. See Methods Section A for a complete description of Eve's setup. In the diagram: BS, 50/50% beamsplitter; PBS, polarizing beamsplitter; HWP, half-wave plate; FPC, fibre polarization controller; BBO, β-barium-borate crystal.

TABLE I. Fidelity of Eve's control over Bob.

FIG. 2. Detector blinding and control. (a) Circuit diagram of the custom-built single-photon detectors used in the QKD system under attack. An avalanche photodiode (APD, PerkinElmer C30902S) is biased 15 V above its breakdown voltage from a voltage supply +V_bias ~ 220 V. The avalanche current is fed by a charge stored in a small stray capacitance (~1.2 pF) and is detected via a voltage spike at the 100 Ω resistor. The avalanche quickly self-quenches due to discharge of the capacitance and concomitant bias voltage drop; its recharge and recovery of single-photon sensitivity takes ~1 µs. (b) Oscillograms show one of the detectors blinded after switching on 38 pW continuous-wave (c.w.) illumination. (c) Oscillograms show the same detector blinded with 17 µW c.w. illumination. A superimposed optical trigger pulse with a peak power of 2.3 mW never causes a click, whereas one with P_th = 2.6 mW always does.
the line Eve-Bob.





B. Experimental implementation

This QKD implementation has four detectors and utilizes a four-state protocol with polarization coding and passive basis choice (Fig. 1b). Eve can blind all detectors using a laser diode (LD) emitting continuous-wave (c.w.) circularly polarized light, which splits evenly between Bob's detectors. To selectively make one detector click while keeping the other three blinded, Eve adds a linearly polarized pulse of the same polarization as the target detector, and peak power 2P_th. By using four LDs aligned to vertical, horizontal and ±45° polarizations, Eve has the option to deliberately launch a click in any of Bob's detectors. She then executes the faked-state attack.

Before attack, we inserted Eve into the line and manually aligned her polarizations to match Bob's detector settings. Then we characterized fidelity of her control over Bob. During a 5 min session Eve received 8,736,719 clicks and resent an equal number of faked states to Bob. Of the latter, 99.75% caused clicks in Bob, and more importantly those clicks were always produced in the intended detector (Table I). Since the synchronization protocol involves Bob sending to Alice precise timing of every click registered [21], Eve can easily identify and discard the few faked states that did not register at Bob, and that will be discarded in the reconciliation between Alice and Bob. After this, she has an identical record with Bob. Owing to small imperfections in tuning Eve's FSG (Methods Section A), Bob had a probability of 5 × 10^-7 to register simultaneous clicks in two detectors, corresponding to 4 events in 323 seconds. In this QKD implementation, such double clicks were treated as noise and discarded (which is obviously insecure but easily patchable by assigning instead random bit values [24]). We remark that our control scheme could be extended to reproduce arbitrary clicks in several detectors with a more complex FSG, which is however not needed in the present experiment.



C. QKD performance and key extraction

After Eve's calibration, we ran multiple 5-10 min QKD sessions over a few hours, some with Eve inserted in the fibre line and some without. We recorded performance statistics, all public communication data between Alice and Bob, and the generated keys. During QKD, the legitimate parties monitor key rates to check the line transmission. Fig. 3 shows results from two typical sessions, one eavesdropped and one not. As expected, inserting Eve does not alter the rates. Small differences in rate averages of the two sessions are not caused by eavesdropping but rather are normal medium-term alignment fluctuations in this QKD system. The quantum bit error ratio (QBER) of 5-6% is typical for this experiment, and well below the security limit for the Bennett-Brassard-Mermin 1992 (BBM92) protocol used here.

In the sessions where Eve was connected, she extracted Bob's sifted key from her clicks and the recorded public communication Alice-Bob. Alice and Bob identify photon pairs by time-tagging each detector click and exchanging these times over the public channel [21]. This allows them to synchronize their clocks and to keep track of what photons were detected. Bob also announces his detection bases, and Alice answers for which of Bob's clicks she detected the other photon of the pair in the same basis (these pairs form the sifted key). Since no measurement outcomes are revealed, this information can be entirely public. In the present implementation, this channel is established over a transmission control protocol and internet protocol (TCP/IP) wireless connection, and is passively wiretapped by Eve. She watches the discussion, synchronizes her clock with Bob's clock, then sifts her key keeping only those of her clicks which are also kept by Alice and Bob in the sifted key. We ran Eve's processing script on recorded experimental data and verified that in all eavesdropped QKD sessions, Eve's sifted key was identical to Bob's (the script and data sample are available, Methods Section C).

If the source, analysers and transmission medium were perfect, this sifted key would directly constitute the secret key. Under realistic conditions, the sifted keys of Alice and Bob are not identical (the difference being quantified by the quantum bit error ratio). Further steps of error correction and privacy amplification complete the public exchange Alice-Bob to produce the secret key. Since Eve has the same sifted key as Bob, she can apply the same processing as Bob to it, and is guaranteed to produce the same secret key.

FIG. 3. QKD performance with and without eavesdropping as measured by Alice and Bob. Session without Eve in the fibre line (left). Eve installed (right). The traces in the top chart correspond to the raw key rate, sifted key rate and final secret key rate after error correction and privacy amplification. The bottom chart shows the quantum bit error ratio (QBER).



DISCUSSION


The particular weakness exploited in this work can be closed by developing suitable countermeasures. The incoming blinding light may be detected, either by a separate watchdog detector or by monitoring electrical and thermal parameters of the APDs. Single-photon sensitivity of Bob's APDs can be tested at random times by a calibrated light source placed inside Bob. The eavesdropper introduces 212 ns time delay (Methods Section B), however monitoring may be impractical, and Eve can compensate this delay by shortening the fibre line. Eve's need to calibrate her FSG before the attack cannot be considered a reliable deterrent, because she may calibrate non-obtrusively. Other countermeasure proposals that break the described attack exist and may be relatively easy to implement. However a countermeasure that incorporates into the existing security proofs [26, 27], such as the one in ref. [HI, has not yet been implemented.

In conclusion, we have demonstrated a complete and undetected eavesdropping attack against an established QKD system. The success of this demonstration proves that a technological imperfection in a QKD system can be fully exploited using off-the-shelf components. As there is a variety of potentially exploitable loopholes in both research and commercial QKD systems [17, 23], Eve can design a tailored attack on one or the other implementation problem. We have briefly discussed how one particular loophole can be closed. However, a more pointed question is what problems still lurk unnoticed in the gap between the theoretical description and the practical systems. Just as in classical cryptography, an ongoing search for backdoors is required to build hardened implementations of quantum cryptography for real-world use.



METHODS 

A. Complete Eve's setup 

The task of Eve's FSG is to make the target detector at Bob click, while keeping his other detectors silent. An optical pulse of a peak power P_th at the target detector causes it to click with 100% probability. In order for the FSG depicted in Fig. 1b to work, a pulse of power P_th/2 should never cause the two conjugate-basis detectors to click. Unfortunately, for the actual Bob's polarization analyser (PA) this condition did not hold, because one of its detectors turned out to have significantly higher click thresholds than the other three (see Fig. 4). Note that for blinding power >1 µW, the click thresholds of all four detectors rose uniformly. We tried to change the circular blinding polarization to elliptical, such that the detector with higher click threshold received much less blinding power than the other three. This achieved almost perfect fidelity of Eve's control over Bob, with diagonal elements >96.2% (in terms of Table I) and off-diagonal elements <0.005%. The latter meant Eve had slightly less than full information on the sifted key, compromising the security but requiring an additional cryptanalytic task to complete the eavesdropping.

We then improved the control method by including a polarized pre-pulse that dynamically increased blinding power at the orthogonal-basis detectors 100 ns before the main trigger pulse was sent (Fig. 5). These pre-pulses were emitted by four additional laser diodes. With this setup, clicks never occurred in a wrong detector. When we calibrated Eve's control of Bob by sending the same faked state at a fixed rate, the click probability in any target detector was 100%, and double clicks did not occur. However as we discovered later in the recorded experimental data, a cross-talk between adjacent faked states (which could be as closely spaced as 550 ns during eavesdropping) led to slightly less than 100% click probability, as Table I illustrates. There were also a few double clicks. Nevertheless Eve managed to recover complete sifted key by proper post-processing, which shows robustness of this control method.
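
The P_th/2 condition stated at the start of this section can be checked numerically. This is an added example, not part of the paper or its scripts: it models Bob's polarization analyser as an ideal 50/50 beamsplitter followed by ideal polarizers, applies the 2.3 mW and 2.6 mW thresholds quoted for one detector in Fig. 2 to all four detectors, and uses a constructed higher threshold pair for one detector to reproduce the mismatch described above.

```python
import math

# Polarization (degrees) analysed by each of Bob's four detectors.
DETECTORS = {"H": 0.0, "V": 90.0, "+45": 45.0, "-45": -45.0}


def pulse_power_at_detectors(pulse_angle_deg, pulse_peak_mw):
    """Peak power (mW) reaching each detector from a linearly polarized pulse.

    The 50/50 beamsplitter (passive basis choice) halves the power; the
    polarizing beamsplitter of each basis then projects it (Malus's law).
    """
    powers = {}
    for name, angle in DETECTORS.items():
        delta = math.radians(pulse_angle_deg - angle)
        powers[name] = round(0.5 * pulse_peak_mw * math.cos(delta) ** 2, 9)
    return powers


def response(power_mw, never_mw, always_mw):
    """Blinded-detector response given its two click thresholds (Fig. 4)."""
    if power_mw >= always_mw:
        return "click"
    if power_mw <= never_mw:
        return "silent"
    return "uncertain"               # click probability between 0 and 1


def address(target, thresholds):
    """Response of all four detectors to a pulse of peak power 2*P_th aimed at target."""
    p_th = thresholds[target][1]     # lowest power at which the target always clicks
    powers = pulse_power_at_detectors(DETECTORS[target], 2.0 * p_th)
    return {d: response(powers[d], *thresholds[d]) for d in DETECTORS}


def ambiguous_targets(thresholds):
    """Targets whose pulse does not yield exactly one click and three silent detectors."""
    bad = []
    for target in DETECTORS:
        expected = {d: "click" if d == target else "silent" for d in DETECTORS}
        if address(target, thresholds) != expected:
            bad.append(target)
    return bad


# (never-click, always-click) peak powers in mW. 2.3 and 2.6 are the Fig. 2 values
# for one detector; applying them to all four is an assumption of this example.
UNIFORM = {d: (2.3, 2.6) for d in DETECTORS}
# Constructed mismatch: one detector (here V, chosen arbitrarily) needs more power.
MISMATCHED = dict(UNIFORM, V=(4.8, 5.4))

if __name__ == "__main__":
    print(address("V", UNIFORM))
    print(ambiguous_targets(MISMATCHED), address("V", MISMATCHED))
```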



B. Jitter and insertion delay introduced by Eve 

After initially inserting Eve into the line, her four detection and Bob control channels had slightly different insertion delays (varying by <1 ns). Since Alice and Bob used a tight coincidence window to identify photon pairs, we had to equalize Eve's insertion delays by adjusting the time-delay circuits (shown in Fig. 5). As can be seen in Fig. 6, the resulting relative coincidence time distributions were indistinguishable from those without eavesdropping. The jitter between photon pairs stayed about the same and was dominated by timing jitter of the single-photon detectors, ~500 ps full-width at half-magnitude for each detector.

As Fig. 6 shows, Eve introduced an overall insertion delay of 212 ns. This went without any consequence, because Alice and Bob synchronized their clocks by photon coincidences, which is a common practice in QKD systems of this type. In general, the propagation delay is not authenticated and is not a part of the QKD security. We remark that if Alice and Bob synchronized their clocks in some independent way (which is probably impractical), Eve could cancel her insertion delay by shortening the fibre-optic line and/or bypassing a part of the line by spatially separating her polarization analyser and FSG and establishing a line-of-sight radio-frequency link between them, in which signals travel ~1.5 times faster than in fibre. These tricks would not apply to systems using a free-space line-of-sight QKD link [29], but so far none of them implemented a clock synchronization method that would fail because of Eve's insertion delay.

FIG. 4. Click thresholds of the four detectors in Bob's PA versus blinding c.w. power. The dashed curves show the highest peak pulse power at which the detector still never clicks. The solid curves show the lowest peak pulse power at which it always clicks. Between these two thresholds, click probability of each detector increases gradually. The detector recording photons of horizontal polarization (curves with squares) was the one tested in Fig. 2.



C. Raw experimental data and Eve's key extraction software

There were four eavesdropped QKD sessions over 2 h. For example, the second session lasted 5 min and produced 393,323-bit sifted key, identical between Bob and Eve. The raw data recorded during this session and the script used to extract Eve's sifted key can be found in a single archive file: http://www.vadl.com/eve-extract-sifted-key.zip (74 MiB). The minimum disk space required is 125 MiB, including files generated by running the script.

The main script to do Eve's key extraction, named eve_extractsifted-key.m, can be found in the directory scripts-matlab, while the other files in this directory are functions called by the main script, and a log file proclog.txt will be generated after running the script. The script is written in MATLAB. We have tested it under both Windows and Linux.

FIG. 5. Complete Eve's setup forming an improved control diagram. This setup was used for all eavesdropping experiments reported in this article. Four LDs followed by FPCs comprise a pre-pulse generator (PPG). Timing of each main trigger pulse is adjusted by a trimmable time-delay (TD) circuit. The FPC before the PA is used to align Eve's polarization reference frame after inserting her into the line (similarly to the manual FPC used in Alice's setup for alignment during QKD system installation).



The directory data-raw contains the raw experimental data from this session, recorded during the experiment. To obey realistic eavesdropping conditions, Eve only gets access to the classical channel where the transmission is public (and to her own computer), but not to Bob's or Alice's computers. Hence, the script is run only upon the timing and basis choice data sent from Bob to Alice (the subdirectory alice-receivefiles), the sifting response returned from Alice (the subdirectory bob-receivefiles), and Eve's own recorded click data (the subdirectory eve-raw-events). Although not used by the extraction script, both sifted and final secret keys recorded in Alice's and Bob's computers are also provided in the archive, to satisfy a curious reader. The final secret key is 218,462 bit long.

After running the script, Eve's sifted key will be extracted and stored in a new directory named data-produced-by-scripts. The script then does a bitwise comparison between Eve's and Bob's sifted keys, and reports the number of discrepancies (which is zero for all eavesdropped QKD sessions). For convenience, both Bob's and Eve's sifted keys are also saved as two sets of ASCII files.

All data is partitioned into files by epoch (defined as a time span of 2^29 ns ≈ 0.537 s), except the final secret key which is stored in blocks of 9 epochs. All file formats are openly defined and documented, and have been used in several QKD experiments previously.